Cyber Attacks Hitting Global Stock Exchanges are Putting Financial Markets At Risk, According to a New Industry Report

A "significant" number of stock exchanges have been hit by cyber-attacks over the past year, according to a recent study from a group representing global stock exchanges.

About 53 percent of exchanges surveyed by the International Organization of Securities Commissions and the World Federation of Exchanges had been hit by a cyber-attack, according to a study released Tuesday. Of the 46 exchanges around the world included in the survey, nearly a quarter of the exchanges that had been attacked were in the Asia-Pacific region.

“While there is uncertainty around the size of the cyber-crime threat in securities markets, there are clear signs that it is a growing threat to the financial sector, with potential for large costs,” wrote the study's co-authors, Iosco's Rohini Tendulkar and WFE's Gregoire Naacke.

The most common attacks against exchanges were malware and denial-of-service (DoS) attacks, where Websites and servers are overwhelmed trying to handle excessive volumes of Internet traffic. Other attacks included laptop and data thefts, Website scanning, and insider information theft. None of the exchanges reported financial theft as part of cyber-attacks.

"Attacks tend to be disruptive in nature, rather than motivated by financial gain," the report said.

So far, the attacks appear to have focused on non-trading-related online services and Websites. Back in February 2011, NASDAQ OMX Group discovered that unknown adversaries had placed suspicious files on one of its applications, which facilitated director communication. Trading platforms were not impacted in that attack. NASDAQ and BATS Global Markets said in February last year that they were targeted with denial-of-service attacks.

“Cyber-crime also appears to be increasing in terms of sophistication and complexity, widening the potential for infiltration and large-scale damage,” the report said.

About 46 percent of the exchanges in the survey said there was no impact from cyber-attacks on the organization "because of preventative and detection mechanisms." About 21 percent said there was some disruption or unavailability of production and Web servers.

Even so, the increased attacks are worrisome because the markets are interconnected, which means there is potential for a single attack to have a widespread impact, the paper said. About 89 percent of the exchanges said cyber-attacks represent a systemic risk to markets.

"A number of respondents could envision a large-scale, coordinated and successful cyber-attack on financial markets having a substantial impact on market integrity and efficiency," the study said. When asked to describe such an attack, the majority of the respondents suggested attack scenarios "with more far-reaching consequences," such as halting trading, manipulating data, targeting telecommunication networks, and affecting the functions of a clearing house, the authors wrote.

At least the senior executives in charge appear to be paying attention, as 93 percent of the exchanges said "cyber-threats are discussed and understood by senior management." Even more positive, 93 percent of respondents have disaster recovery protocols or measures in place to deal with the fallout of a cyber-attack.

All the organizations in the survey said they are able to identify an attack within 48 hours of it occurring. However, it is a little worrying that a quarter of the exchanges in the report said that current measures may not be sufficient to withstand a large-scale and coordinated attack.

While there wasn't a lot of information available on the costs of cyber-crime to securities markets, the exchanges in the survey said the monetary impact of the attacks in 2012, counting both direct and indirect costs, was less than $1 million.

The majority of the exchanges said they share information about both attempted and successful cyber-attacks with securities regulatory, supervisory commissions, and other authorities. Only three organizations out of the whole survey said they share information with "peer institutions." Organizations felt that effective regulation and legislation, improved information sharing, and stronger internal measures would improve their security posture.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.